Password Expert Regrets Complex Password Advice

William Burr says he basically got it wrong when it came to password advice

Computer expert William (Bill) Burr, the man who essentially wrote the book on password management, has revealed his regret for his advice about making passwords long and overly complicated.

Back in 2003, Burr was mid-level manager at the US National Institute of Standards and Technology (NIST), and he was the author of “NIST Special Publication 800-6” that advised people about passwords used to secure their accounts.

secure password

Password Regret

Since its initial release nearly fifteen years ago, the NIST advice on passwords has been updated a number of times, most recently in June this year.

72-year old Burr had initially advised people to change their password every 90 days, and he also said that people should complicate their passwords by adding capital letters, numbers and symbols.

Indeed, many tech companies now regularly ban the use of easy to remember passwords.

Microsoft for example in 2016 forced all of its account holders to upgrade their passwords, after the company announced a ban for all simple or commonly used login credentials

It had already banned the use of easy-to-guess passwords (such as password or 12345678) on Hotmail, ever since 2011. But now in an interview with the Wall Street Journal, Burr acknowledges that his 2003 manual was “barking up the wrong tree”.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” he is quoted as saying. “It just drives people bananas and they don’t pick good passwords no matter what you do.

“Much of what I did I now regret.”

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ... Loading ...

And there is little doubt that getting people to secure their accounts with unique and private logins is a good move, but long and complicated passwords often does not help matters.

In reality, partly as a result of the NIST advice and the guidance offered by tech firms, people tend to just pick something short and memorable that meets the criteria needed.

This can make their passwords vulnerable to brute force attacks.

Research from security firm Trustwave in 2015 found that over half of passwords tested could be cracked in less than 24 hours. It also found that 88 percent of passwords could be cracked within two weeks.

At the moment, the current advice is that people should NOT frequently change their passwords, as people tend to only make minor changes, such as turning a password such as ‘Silicon01’ into ‘Silicon02’, which is fairly easy to guess.

Best Practice

In 2015 GCHQ, the UK’s top secret surveillance intelligence agency, offered up its own advice on how consumers can ensure their passwords are fit for purpose.

It said at the time that overly complex passwords is often more of a hindrance than a help. It also recommended a ban on password strength meters, mandatory resets, and predictable combinations.

It should be remembered that people are pretty bad when it comes to using easy passwords.

Research from security firm SplashData for example has previously shown that the world’s most common passwords are ‘123456’, closely followed by ‘password’. These two passwords have topped the list of bad passwords since the survey began in 2011.

Weak passwords are a major factor in many of security breaches, as hackers take advantage of poor controls to hack into company networks. The death of passwords has long been predicted, and for many years biometrics (fingerprints, iris scans, facial recognition) have been touted as the way forward.

Mobile phones increasingly utilise facial recognition or fingerprint scans. And British bank TSB recently claimed it was the first in Europe to let customers access their accounts via an iris scan.

Quiz: What do you know about biometrics?